Enabling & Managing Keys.
How to create, configure, and revoke Agent API keys.
Agent keys are managed through the partner dashboard. Administrators control which partners can use the Agent API, and partners create and revoke their own keys.
Prerequisites
Before a partner can create agent keys:
- Feature flag is enabled — Add
FEATURE_AGENT_API=trueto your.envfile. The Agent API is off by default. - Administrator enables Agent API — The
Agent APIpermission must be turned on for the partner (see Partner Permissions) - Partner has at least one club — Most agent endpoints operate within a club context
Enabling Agent API Access
As an Administrator:
- Navigate to Partners in the admin sidebar
- Click on the partner's name to edit their account
- Switch to the Permissions tab
- Enable the Agent API permission
- Optionally, set an Agent Keys Limit (how many keys this partner can create; -1 for unlimited)
- Click Save
Once enabled, the partner will see Agent Keys under Integrations in their sidebar.
Creating a Key
As a Partner:
- Navigate to Integrations → Agent Keys in the sidebar
- Click Create
- Fill in:
- Name — A descriptive label (e.g., "POS Terminal Downtown", "Zapier Integration")
- Scopes — Choose a permission level preset
- Expires At — Optional expiration date
- Click Save
One-Time Key Display
After saving, a dialog shows the full key:
rl_agent_a8f3k2m1x9v4b7n2p5q8r1t6w3y0z4d7f0h3j6l9m2o5r8u1w4z7c0e3...
⚠️ Copy this key immediately. After closing this dialog, the full key is never shown again. Only the prefix (
rl_agent_a8f3k2m1) remains visible. If you lose the key, you must create a new one.
Permission Level Presets
When creating a key, you choose from these presets:
| Preset | Scopes Granted | Use Case |
|---|---|---|
| View Only | read |
Dashboards, reporting, balance checks |
| Point of Sale | read, write:transactions, write:rewards |
Point-of-sale earn, burn, and reward management |
| Full Management | read, write:cards, write:rewards, write:stamps, write:vouchers, write:clubs |
General integrations (Zapier, Make) |
| Full Access | admin (super-scope) |
Complete programmatic control |
After creation, scopes cannot be changed. To use different scopes, create a new key.
See Scopes & Permissions for details on what each scope allows.
Viewing Keys
The Agent Keys list shows:
| Column | Description |
|---|---|
| Name | Your descriptive label |
| Key Prefix | First characters of the key (for identification in logs) |
| Active | Whether the key is currently active |
| Expiry Date | Expiration date, if set |
| Last Used | When the key was last used (updated every 5+ minutes) |
| Created | When the key was created |
Revoking a Key
To revoke a key immediately:
- Navigate to Integrations → Agent Keys
- Find the key in the list
- Click Delete to remove it permanently, or click Edit and toggle Active off to deactivate it (reversible)
- Confirm the action
What happens when you revoke a key:
- All requests using that key immediately receive
AUTH_KEY_REVOKED(401) - The key record remains in the database for audit trail purposes
- Existing activity log entries for that key are preserved
- Any integration using this key must be updated with a new key
⚠️ Revoking is immediate and irreversible. There is no undo. If you accidentally revoke a production key, create a new one and update your integration.
Key Rotation Strategy
For security-critical integrations, rotate keys periodically:
- Create a new key with the same scopes
- Update your integration to use the new key
- Verify the new key works (call
GET /api/agent/v1/health) - Revoke the old key
This ensures zero downtime during rotation.
Member Keys
Members (customers) can also create agent keys to access their own data from external apps and wallet integrations.
Creating a Member Key
- Sign in to the member dashboard
- Open the user menu and click Agent Keys
- Click Create
- Choose a name and permission preset
- Copy the key from the one-time display dialog
Member Key Differences
| Aspect | Partner Keys | Member Keys |
|---|---|---|
| Prefix | rl_agent_ |
rl_member_ |
| Default expiration | None (permanent) | 90 days |
| Max keys | Admin-configurable (default 5) | Fixed at 3 |
| Rate limit ceiling | 1,000 RPM | 120 RPM (automatic) |
| Export | Available | Not available |
| Scopes | 4 presets | 2 presets |
| Rate limit setting | Configurable | Not shown (automatic) |
Member Permission Presets
| Preset | Scopes | Use Case |
|---|---|---|
| View Only | read |
Balance checks, browsing rewards |
| Full Access | read, write:redeem, write:profile |
Full wallet: claim rewards + save cards + update profile |
Restrictions
- Anonymous members cannot create keys — Only verified members with an email address can access agent key management
- 90-day default expiration — Member keys expire after 90 days by default. Members can set a custom date, but the system enforces a default for consumer-facing key security
Limits
Partner keys: Administrators can set how many keys each partner can create via Agent Keys Limit in Partner Permissions. A value of -1 means unlimited.
Member keys: Fixed at 3 keys per member. This is not configurable.
Related Topics
- Authentication — How keys authenticate requests
- Scopes & Permissions — What each scope allows
- Partner Permissions — Admin controls for partner access
- Audit Logging — Monitor key usage